Security Policy

If you discover a security vulnerability in RoboRent, please report it responsibly. Email security@roborent.cc with: • A clear description of the issue • Steps to reproduce • Potential impact • Your contact info (optional) We will acknowledge receipt within 48 hours and aim to release a fix within 14 days for critical issues.

In scope: • roborent.cc and www.roborent.cc (main platform) • API at www.roborent.cc/api/v1 Out of scope: • Third-party services (Supabase Auth, Vercel infrastructure) • Social engineering attacks on staff • Denial of service attacks

We ask that you: • Give us reasonable time to respond before public disclosure • Do not access or modify user data beyond what is needed to prove the vulnerability • Do not perform destructive testing or attacks on our infrastructure • Do not disclose the vulnerability to others before we've fixed it

We thank all security researchers who report valid issues. With your permission, we'll add your name or handle to our Hall of Fame. We currently do not offer a paid bug bounty but may reward exceptional findings at our discretion.

RoboRent implements: • TLS/HTTPS everywhere • Content Security Policy (CSP) headers • JWT-based auth with Supabase (HS256/ES256) • Row Level Security (RLS) on all database tables • Rate limiting on all critical endpoints • OFAC sanctions screening on withdrawals • HMAC-signed webhooks for the payment gateway